[00:03.420 --> 00:09.240]  ... aerospace systems, a changing paradigm and how you can help.
[00:10.100 --> 00:14.260]  First, let me quickly introduce you to our presenters from Thales.
[00:14.260 --> 00:21.420]  We have Yannick LeRae, Head of Pre-Sales and International Development for Cybersecurity Consulting and Operations.
[00:21.560 --> 00:28.700]  We also have Lawrence Rowell, who is the Director of Product Cybersecurity for our Connected Cabin and In-Flight Entertainment Systems.
[00:28.700 --> 00:36.420]  And finally, we have Natalie Faith, who is Chief Information and Product Security Officer for Global Avionics Systems.
[00:37.520 --> 00:52.020]  The focus of today's session is to show how industry design, attack, learn, and improve critical aerospace systems to cybersecure avionics, passenger systems, and air traffic management systems.
[00:52.020 --> 00:58.000]  First, we will speak to the changing requirements and what digital transformation has done for cybersecurity.
[00:58.580 --> 01:04.880]  Then, we will explain our paradigm shift with respect to the design of our systems.
[01:04.980 --> 01:11.380]  And finally, we will talk about how we integrate good faith hacking and create a chain of trust.
[01:11.960 --> 01:16.820]  So, let's start with Yannick to talk about digital transformation and cybersecurity.
[01:17.200 --> 01:18.440]  Yannick, over to you.
[01:18.440 --> 01:27.700]  Thank you, Adam. We wish we would be there physically. However, due to COVID-19, we're having this virtual presentation.
[01:27.700 --> 01:33.960]  Hopefully, we'll be there all together next year for the next DEF CON.
[01:33.960 --> 01:36.920]  So now, let's talk about digital transformation and cybersecurity.
[01:37.140 --> 01:41.220]  Today, aviation sector is leading to digital transformation.
[01:41.220 --> 01:48.400]  This playground represents an international and complex ecosystem with a wide threat surface exposure for attackers.
[01:48.560 --> 01:53.280]  As you can see in this slide, there are many targets to be protected.
[01:53.760 --> 01:59.520]  And some of them, we can talk about the air traffic control and air navigation systems.
[01:59.620 --> 02:07.500]  We can talk about the connected aircraft, the airport, the airline maintenance control center, as well as the UAVs and drones.
[02:07.500 --> 02:12.940]  These targets are associated with multiple risks and have risk exposure.
[02:12.940 --> 02:20.280]  And therefore, we need to be coherent and with a global approach to better understand and reduce the risk.
[02:22.950 --> 02:30.430]  As I said previously, aeronautics environment is leading to digital transformation with an open and connected world.
[02:30.430 --> 02:35.970]  Digital transformation leads to data-driven organization and therefore cybersecurity.
[02:35.970 --> 02:40.250]  Knowing that, for aeronautics, safety is the first priority.
[02:40.250 --> 02:48.630]  We must secure stakeholders' trust as well as safety-critical aeronautics system putting the passenger as our first priority.
[02:48.630 --> 02:52.810]  No digital transformation without trust. No trust without cybersecurity.
[02:53.430 --> 02:58.260]  This connected environment raises two challenges for aerospace ecosystem.
[02:58.260 --> 03:09.760]  First, safety and security stake, requiring to keep up in a safety environment, setting up cybersecurity conditions across all system lifecycle.
[03:10.000 --> 03:17.440]  And second, business continuity, needing to value cybersecurity to help prevent business operational disruptions.
[03:17.440 --> 03:20.540]  Now, let's talk about the hackers in this environment.
[03:20.780 --> 03:24.620]  We're going to talk about ethical, good-faith hackers.
[03:25.360 --> 03:28.780]  We aim to provide the best possible practices.
[03:29.580 --> 03:36.820]  And we want to make sure our solutions and services as well as our customers' infrastructures are cyber-secure.
[03:36.900 --> 03:43.700]  And therefore, we perform, for example, risk analysis and pen test using our own hackers.
[03:43.700 --> 03:48.800]  And for sure, we're talking about ethical hackers and ethical-talent hackers.
[03:48.800 --> 03:51.380]  These hackers can act through the Internet.
[03:51.380 --> 04:04.280]  For example, from one of our air navigation service provider customer, we've been able through some services that we provided to them through a contract.
[04:04.280 --> 04:08.840]  We've been able to penetrate their power generation systems.
[04:08.840 --> 04:19.420]  And this was enabling us to go into their server, which turned on and off the whole air traffic center.
[04:19.420 --> 04:29.540]  All this through our own facilities in France, going in their own air traffic control, where it was not for sure in France.
[04:29.580 --> 04:35.540]  And other tools that we have are specific simulation environments.
[04:35.540 --> 04:40.040]  As you can see in this slide, we have the red team versus the blue team.
[04:40.040 --> 04:45.020]  With our simulation environments, we're able to implement the infrastructure of our customer,
[04:45.020 --> 04:49.860]  their operational infrastructure, where the red team is our own hackers,
[04:49.860 --> 04:54.860]  which mission is to, of course, attack the vulnerabilities of the system.
[04:54.860 --> 04:57.020]  And the blue team is our customers.
[04:57.020 --> 05:05.180]  Our customers in this environment are there to be trained and see if they are cyber secure.
[05:05.180 --> 05:07.480]  Also, their system is cyber secure.
[05:07.480 --> 05:13.140]  More and more, we need ethical hackers able to master specific sector expertise.
[05:13.460 --> 05:16.100]  This sector expertise is very specific.
[05:16.100 --> 05:18.420]  We're not talking about only IS/IT.
[05:18.420 --> 05:21.420]  We're talking about operational technologies.
[05:21.420 --> 05:28.800]  More and more, we're facing attackers who are aiming at this type of equipment
[05:29.300 --> 05:35.880]  and trying to be more and more specific to their attacking.
[05:35.880 --> 05:41.320]  And now the floor to Lawrence, who will develop more on what we do in terms of avionics.
[05:41.320 --> 05:42.180]  Lawrence?
[05:42.540 --> 05:43.780]  Thanks, Yannick.
[05:43.780 --> 05:47.240]  Okay, so when we're talking about this changing paradigm,
[05:47.240 --> 05:52.500]  it's really important to understand the current and historical state of affairs.
[05:52.640 --> 05:57.620]  In other words, how has security been managed to this point and why?
[05:57.620 --> 06:02.080]  And then we're also going to talk about what is changing to drive the new paradigm.
[06:02.680 --> 06:09.140]  So at Thales, the high-level approach to cybersecurity is defined by nine cybersecurity rules.
[06:09.140 --> 06:12.960]  One of the rules is really important to this audience in this conversation
[06:12.960 --> 06:16.160]  because it speaks directly to penetration testing.
[06:17.280 --> 06:22.000]  Oftentimes, we use a gray box approach with third-party pen testers
[06:22.000 --> 06:24.740]  and we give them a limited amount of information
[06:24.740 --> 06:29.500]  so they have some understanding about the system components and overall architecture
[06:30.160 --> 06:33.340]  and they can test all the threat vectors.
[06:33.840 --> 06:39.300]  This is good and it's a great start considering where we are today,
[06:39.300 --> 06:45.520]  but it also serves as a very good example of a security practice
[06:45.520 --> 06:48.300]  that does not really reach its full potential.
[06:49.320 --> 06:56.740]  The model I just described is performed by a limited number of people for a limited amount of time.
[06:57.480 --> 07:00.600]  They also only have a limited amount of information
[07:02.320 --> 07:08.800]  and it's done in a closed environment that is not really remotely accessible
[07:09.160 --> 07:12.740]  due to policy and other technical limitations today.
[07:12.740 --> 07:18.140]  This approach does not really leverage the full power of the good faith hacking community
[07:19.100 --> 07:29.920]  and ultimately, it results in what can only be called as a limited snapshot into a product's security posture.
[07:31.320 --> 07:40.940]  And we must admit the culture of aerospace and aviation has really kind of contributed to this approach that we have today.
[07:42.160 --> 07:47.080]  Vulnerability management in aerospace and aviation is pretty difficult.
[07:47.360 --> 07:51.760]  Updating the product, in most cases, is not easy.
[07:51.840 --> 07:57.400]  And this is even true for the non-safety critical part of the aircraft.
[07:57.500 --> 08:04.920]  It usually takes a lot of time, a lot of money, and usually a lot of lost revenue
[08:04.920 --> 08:09.680]  to update the system, the aircraft systems.
[08:11.460 --> 08:16.360]  Historically, this has kind of contributed to a closed type of thinking.
[08:16.540 --> 08:22.700]  You know, along the lines of, hey, if we don't look hard enough, we'll never find anything
[08:22.700 --> 08:25.580]  and therefore we must not have a problem.
[08:26.360 --> 08:32.160]  The good news is that this mentality, we're seeing a change with this.
[08:32.160 --> 08:39.700]  In a recent Atlantic Council survey, 84% of aviation professionals that were polled
[08:39.700 --> 08:45.410]  indicated that cybersecurity researchers are good for aviation.
[08:45.740 --> 08:50.460]  So, now is the time for the industry to improve.
[08:50.460 --> 08:52.400]  And we can do better.
[08:52.400 --> 08:58.900]  But first, it's important to understand the factors that are driving this shift in thinking
[08:58.900 --> 09:02.800]  before we try to answer the question of how we do better.
[09:05.670 --> 09:10.550]  Let's use the cabin of today's commercial aircraft as an example.
[09:10.550 --> 09:14.910]  It makes sense to look here first for a couple of reasons.
[09:15.150 --> 09:18.890]  This portion of the aircraft is not deemed safety critical.
[09:19.530 --> 09:24.850]  Therefore, it lends itself to the fastest changes and is going through a rapid evolution
[09:24.850 --> 09:31.290]  in terms of the technologies and systems deployed to satisfy the airline customer.
[09:31.750 --> 09:39.390]  This means this area of aviation will embrace the good faith hacking community the fastest
[09:39.390 --> 09:41.670]  and with relative ease.
[09:41.670 --> 09:46.090]  And it will likely influence other areas of aviation.
[09:46.770 --> 09:52.610]  So, everyone knows the majority of commercial aircraft are connected to the internet.
[09:52.610 --> 09:56.110]  Wi-Fi is viewed as critical for today's passenger.
[09:56.550 --> 10:02.090]  There are also several other changes that are bringing the comforts of the living room
[10:02.450 --> 10:05.130]  into the cabin in today's passenger.
[10:05.790 --> 10:10.510]  So, if we take a look at the inflight entertainment system, it's a really good example.
[10:10.810 --> 10:14.010]  It's becoming much more complex in several ways.
[10:14.970 --> 10:21.810]  There's an increasing selection of movies and other entertainment content that has not been released to the public.
[10:21.810 --> 10:26.050]  This requires protection and ongoing security testing.
[10:26.050 --> 10:30.510]  There's a large influx of third-party applications and games.
[10:30.510 --> 10:37.470]  And these are games that are not from the Apple App Store or Google Play and have been validated by Apple and Google.
[10:37.470 --> 10:40.970]  These require ongoing security testing as well.
[10:42.030 --> 10:46.930]  E-commerce and shopping options are constantly expanding.
[10:46.930 --> 10:52.670]  Along with more convenient ways to pay for your goods and services.
[10:53.430 --> 10:58.210]  And this includes the introduction of technologies like near-field communication.
[10:58.670 --> 11:02.170]  The amount of personal information is increasing.
[11:02.170 --> 11:06.090]  With airlines providing a much more personalized service.
[11:06.090 --> 11:08.890]  With more convenient payment systems.
[11:08.890 --> 11:18.190]  And this also includes the introduction of advertising that is targeted to specific passengers with their demographic information.
[11:18.190 --> 11:27.210]  In order to support all of this, the number of interfaces on the aircraft that are accessible by the passenger from their seat is increasing.
[11:27.330 --> 11:34.710]  This includes things like USB, Bluetooth, touchscreen, near-field communication, and Wi-Fi.
[11:34.710 --> 11:38.910]  Now consider this is only part of the overall equation.
[11:41.980 --> 11:50.920]  All of these solutions I just described to support e-commerce, entertainment, and personalization are supported by a constantly expanding ground infrastructure.
[11:51.260 --> 11:56.060]  And this ground infrastructure, it has similar cybersecurity risks.
[11:56.060 --> 12:00.900]  It's exposed to the same regulatory requirements like PCI and GDPR.
[12:01.260 --> 12:03.440]  But there's a big difference.
[12:03.440 --> 12:08.680]  These environments look and feel much more like a traditional IT environment.
[12:09.780 --> 12:20.820]  So, one positive aspect of this is that IT-oriented DevOps teams have already started to embrace practices like crowdsourced pen testing.
[12:21.580 --> 12:31.520]  So, in the case of aviation and aerospace, this will be a force that will drive the overall industry towards engaging the good-faith hacking community.
[12:32.620 --> 12:41.340]  So, before I finish, there's one last thing I'd like to mention about how we are seeing COVID, the COVID pandemic, impact this paradigm shift.
[12:42.080 --> 12:51.680]  Third-party pen testers who were previously required to be on premise to pen test certain products and solutions cannot travel and be on site to do this.
[12:51.680 --> 12:54.340]  Yet, the pen testing still must be conducted.
[12:55.330 --> 13:06.500]  So, we are seeing companies quickly adapting, changing their policies and methods to do remote pen testing whenever possible.
[13:06.500 --> 13:13.600]  Obviously, this is going to be a challenge when it comes to systems and products with physical interfaces.
[13:13.820 --> 13:18.080]  But we still see a rapid evolution coming in this area.
[13:18.080 --> 13:25.360]  So, COVID is actually knocking down some of the previous barriers when it comes to embracing the good-faith hacking community.
[13:25.680 --> 13:34.260]  To summarize, these changes have increased the number of assets that need protection while also increasing the number of threat vectors.
[13:34.340 --> 13:42.760]  At the same time, we see the aviation community's attitude and view on embracing the good-faith hacker is changing.
[13:42.760 --> 13:51.620]  This means now is the time to do this. It's time to embrace the good-faith hacking community and look at changing the traditional approach to cybersecurity.
[13:52.660 --> 13:59.600]  Now, I'll hand it over to Nathalie to talk about how we can do this in collaboration with the good-faith hacking community.
[14:00.340 --> 14:09.900]  Thank you, Laurent. You're right. We need to see more on how to integrate those hacking activities in our engineering and operations.
[14:09.900 --> 14:18.020]  So, I will use the NIST framework, which is what we are following, to explain our constraints about that.
[14:18.260 --> 14:26.400]  So, when we discuss with Laurent on when in this cycle it will be easiest to integrate good-faith hackers.
[14:27.400 --> 14:36.640]  During the identify and protect phase, it's more where we do risk assessments, not the theoretical part, not that easy.
[14:36.640 --> 14:46.580]  But definitely during the design phase, it's important, and more naturally into the in-service phase.
[14:46.620 --> 14:53.420]  So, those two phases, the during design phase and in-service phase, seems natural to me.
[14:54.380 --> 15:01.240]  Today, it's obviously during in-service that we have already interactions with hackers.
[15:01.240 --> 15:08.560]  I will tell a little story about a CVE that has been published on the Thales Cabin product.
[15:09.340 --> 15:22.120]  And we all know that there is room for improvement in this area to render this interaction more fruitful and this dialogue more fruitful between industry and hackers.
[15:22.120 --> 15:25.020]  We will discuss that afterwards.
[15:25.020 --> 15:30.240]  Now, I would like definitely to focus on the during design phase.
[15:30.240 --> 15:37.840]  Why? Simply because for us, it's where it is the easiest to patch and to remediate.
[15:38.160 --> 15:48.540]  And this is also the good place where we can confront the theory of the attack path that we imagine with the real practice with hackers.
[15:48.620 --> 15:51.680]  And have the good coverage about it.
[15:51.680 --> 16:02.580]  And the most we spend time on cyber robustness, the most we are saving also money, to be honest, in the operational phase and in the in-service phase.
[16:02.900 --> 16:11.620]  So now, when we think about how we can manage this during design phase, it's not easy.
[16:11.620 --> 16:24.900]  Today, I have no example of our airborne system being virtualized and put in a cloud and accessible through a web portal for you to do pen tests.
[16:24.980 --> 16:33.360]  As explained by Lawrence, we are performing our own pen tests directly in our labs.
[16:33.360 --> 16:36.740]  So you need to imagine fully representative labs.
[16:36.740 --> 16:47.940]  For example, Cabin, you have an instance of the economy class, first class, business class, and it's big halls run by us.
[16:47.940 --> 16:55.180]  And they are running 24 hours a day and 356 days a year.
[16:55.180 --> 17:11.520]  So you can imagine how it's not easy to organize a pen test sequence in such labs, which are used to improve our product and ensure customer new functionalities.
[17:12.620 --> 17:20.620]  So, to be clear, there is also, due to the fact we are on special technology,
[17:20.620 --> 17:27.560]  if you want to get good-faith hackers working with us, for example, through a bug bounty program,
[17:27.560 --> 17:37.640]  then there is an investment to be done on hacker side, because you need to enter into specific technology dedicated for aviation.
[17:37.660 --> 17:43.860]  For example, we don't have Ethernet. We have AFDX, which is ARINC 664.
[17:44.860 --> 17:54.130]  This is Ethernet-oriented for safety. And there are lots of examples of that on protocols, on operating systems.
[17:54.420 --> 18:00.300]  And this is driven by safety-related requirements.
[18:00.300 --> 18:11.970]  So when we discussed about bug bounty company on how to organize better interactions with good-faith hackers,
[18:11.970 --> 18:22.290]  they mentioned to us they have already this kind of program for ICT suppliers or, for example, automotive system providers.
[18:23.250 --> 18:35.570]  But with the change in paradigm, as mentioned by Lawrence, I think that we are now moving to virtualized simulation benches and labs,
[18:35.570 --> 18:47.590]  more connected simulation benches and labs. And this is a kind of cyber twin, and I think it's promising.
[18:47.590 --> 18:54.850]  For ground system and ground infrastructure, we just need to follow what is a good practice in other sectors,
[18:54.850 --> 19:02.070]  since they are more IT-related, and we can easily move to classical bug bounty programs.
[19:02.070 --> 19:10.110]  So to summarize on how we can work together during the design phase, I think there are two tracks we can work on.
[19:10.110 --> 19:18.010]  The first one is dedicated bug bounty programs, where you come to our big halls and labs.
[19:18.010 --> 19:29.910]  And the second would be more to develop, and it is more on our shoulder, cyber twins, which are helping for doing those pen tests
[19:29.910 --> 19:42.150]  and perhaps being more agile, doing it more often, and with better coverage, and not one or two persons during some days or weeks.
[19:42.890 --> 19:52.650]  So okay, I hope it's clear. Now we'll go for the second phase, which is the in-service phase, to explore what we can do.
[19:52.650 --> 20:02.590]  So here, this is another story. You see the title, we call that managing continuous security. It's not for you, it's for our customers,
[20:02.590 --> 20:12.530]  for them to understand that security is a long road where you need to update regularly due to the fact that new attacks are coming.
[20:13.170 --> 20:18.810]  And in the in-service phase, the NIST framework is beginning by the detect.
[20:18.810 --> 20:33.950]  This detection comes to us either through our customer services, which is seeing an incident reported by a customer, or this might be an event found on the internet.
[20:33.950 --> 20:45.650]  You know, we have a threat intelligence team and services like that, that help us in graphing kind of videos that may be published by hackers,
[20:45.650 --> 20:54.170]  but also more in a standard way, CVE, that could be published on our products.
[20:54.550 --> 20:59.810]  So to explain what are the issues today, I will give you an example. I think it's the best.
[20:59.810 --> 21:13.190]  It was a story that happened to us, I think, last year. And in fact, it was a CVE published with a high score of 8, which is high specificity.
[21:13.190 --> 21:23.090]  The CVSS is between 1 and 10. And so it was on the in-flight entertainment systems.
[21:23.090 --> 21:32.990]  So first of all, I would like to recall that in-flight entertainment systems are non-critical systems if we consider safety.
[21:32.990 --> 21:43.670]  So this rating is a bit high. And when our incident response team, our PSIRT, investigated about that,
[21:43.670 --> 21:50.090]  they learned that, in fact, it was a vulnerability exploited on a third-party chat application.
[21:50.430 --> 22:03.490]  And in fact, the impact was just you at your seat hacking the chat application, crashing, and not propagating to any other seats, just stand alone on the seat.
[22:03.490 --> 22:12.350]  So it was a bit surprising to us that MITRE, even MITRE, has ranked this vulnerability at a level of 8.
[22:12.350 --> 22:22.790]  But finally, we get in touch with the hacker, we had a discussion, and we say that this CVSS score was far too high.
[22:23.450 --> 22:40.150]  And so when you see such a situation, and we generalize it, so from the case like that, what are the drawbacks in such a way of managing vulnerability disclosure?
[22:40.150 --> 22:47.790]  So today, there is no direct notification to our incident response team, product incident response team.
[22:48.610 --> 23:00.110]  So as a consequence, there might be a very long time, more than two weeks, before we get in touch really with the good-faith hacker and understand.
[23:00.110 --> 23:14.110]  And also, as this is illustrated here, our sector is not really understood today. You have seen the high rating by MITRE.
[23:14.150 --> 23:29.510]  So we need to have this kind of education. And hopefully, there are major airlines, and so they are kind enough, since they are doing their own risk assessments, to tune the level of patching.
[23:29.510 --> 23:53.710]  But if it wouldn't have been the case in this story we had, imagine you need to know the exact configuration, product configuration, which aircraft, replace the exploit on our big labs, find the source code, develop the patch, then again test in the big labs.
[23:53.710 --> 24:12.210]  And it's not finished. You need to go to a real aircraft to obtain what is called the field supplier acceptance test, which is provided by the airline for them to deploy the patch by ensuring it has no secondary effects on the system.
[24:12.590 --> 24:19.810]  And believe me, the best we did for this type of operation was something like three weeks.
[24:19.810 --> 24:40.730]  And even today, there are some patches that we delivered, something like more than one year, that are not yet deployed by some airlines, because it's a long process to deploy on all fleets a patch, and knowing that some aircraft are under maintenance and things like that.
[24:40.950 --> 24:49.090]  So what I would like to have in the future, in a better disclosure program, would be the following.
[24:49.090 --> 24:59.250]  First, establishing direct exchange with the good-faith hacker. I think it's really important for us to understand and for the hacker to understand also better.
[24:59.470 --> 25:17.530]  Then, establishing clear remediation time and steps before going to publication, because depending on what has been found and what it is impacting, you understand that we don't have the same constraints than in the IT world.
[25:17.530 --> 25:20.210]  So we need more time in some cases.
[25:20.710 --> 25:33.890]  So now, if it's better that way, you would say, okay, if I have a vulnerability to disclose, what are my possibilities today and how can I interact with you?
[25:34.270 --> 25:43.810]  So this is why we have set up first for the whole ecosystem, sharing information capacities.
[25:43.810 --> 25:55.870]  When I say the whole ecosystem, I mean airport, airlines, aircraft manufacturers, suppliers. We have very few maintenance operators, but it's becoming.
[25:56.010 --> 26:00.770]  It has been set up, the first one, more than four years ago.
[26:01.250 --> 26:05.990]  So now, what are the ones you can use?
[26:05.990 --> 26:17.910]  I would advise Aviation ISAC. Aviation ISAC is an aviation information sharing community and they are providing support.
[26:17.910 --> 26:26.490]  They have incident response capacity to facilitate the interactions between the hacker community and the industry.
[26:27.030 --> 26:32.310]  So it's a good point for you if you need.
[26:32.310 --> 26:39.610]  Now, a second one, particularly in Europe, is ECCSA. It's European Centre for Cyber Security in Aviation.
[26:39.610 --> 26:48.670]  So they don't have an incident response capacity, but last year for DEF CON, for Aerospace Village, they were okay.
[26:48.670 --> 26:56.370]  So they set up a portal for you to enter the different subjects you would like to discuss.
[26:56.370 --> 27:07.510]  And not telling the details, but tell, I don't know, I have something to say about an airport or something to say about a system, an airborne system.
[27:07.510 --> 27:18.750]  And then they are putting you through the good stakeholders that are referenced at ECCSA, which is important also.
[27:18.910 --> 27:23.690]  So I hope it helps and it will be easier for you now.
[27:27.870 --> 27:45.540]  So to recap, on Thales' side, we are definitely considering that with the changing paradigm, we need to set up plans to embed good-faith hackers in our design and operation phase.
[27:45.540 --> 27:49.860]  And to do this with a win-win situation for both sides.
[27:50.710 --> 28:00.080]  To tell you, to be honest, without this COVID crisis, we have scheduled with Lawrence to come to DEF CON.
[28:01.040 --> 28:09.020]  What was scheduled is to bring to you a mini-lab representative of an in-flight entertainment system.
[28:09.740 --> 28:13.090]  One of our latest generation.
[28:13.540 --> 28:17.240]  So that you can have a hands-on exercise on it.
[28:17.240 --> 28:20.620]  And also you can learn and try.
[28:21.720 --> 28:25.560]  So now we have done this webinar.
[28:25.560 --> 28:32.480]  This webinar is there to explain what we do, what are our constraints and challenges.
[28:32.480 --> 28:42.980]  And you have heard Yannick telling how the aircraft is a part of the whole ecosystem.
[28:42.980 --> 28:48.860]  And there is not only aircraft to consider, but all the rest of the ecosystems.
[28:49.380 --> 28:52.880]  Lawrence has explained how is the changing paradigm.
[28:52.880 --> 28:56.720]  How the paradigm is changing, particularly post-COVID.
[28:56.820 --> 29:01.700]  With the need of our pen tests to be done in a distant way.
[29:02.900 --> 29:12.160]  And I've shared my views on how we are seeing the integration of good-faith hackers in our design.
[29:12.160 --> 29:20.700]  And how to improve the vulnerability disclosure for you, for us and for our industry.
[29:20.700 --> 29:27.600]  So I'm sure that good-faith hackers can be part of the chain of trust in aviation.
[29:27.600 --> 29:34.260]  And we need to keep in mind that we are talking about a safety-critical system.
[29:35.140 --> 29:45.400]  So now I will tell you that if we want to get in touch with us, we have a dedicated address.
[29:45.400 --> 29:47.580]  You can see it on the screen.
[29:47.700 --> 29:51.240]  So it's short. I mean it's product security incident response.
[29:51.240 --> 29:55.280]  So it's really dedicated to what we are delivering.
[29:55.980 --> 29:58.120]  I hope it helps again.
[29:58.140 --> 29:59.840]  So thank you for your attention.
[29:59.840 --> 30:02.340]  And now I let you the floor for the questions.
